Florida attorney James Curry, of Cyberlaw.io, discusses why every doctor should implement a cyber risk management program now.
Many doctors run small businesses of less than 100 employees. Typically, their IT infrastructure consists of one network supporting one office.
“Regardless of the size of their office, a small medical office or medical group with multiple offices is still required to implement a cyber risk management program in order to comply with various state and federal laws and regulations, such as the HIPAA Security Rule, along with the doctors’ ethical obligations regarding protection of the practice and its patients’ private personal health information,” said attorney Curry, founder of Cyberlaw.io, which provides information on cyber risk management and offers comprehensive legal forms for sale for small doctor’s offices, accountants, insurance professionals and other regulated small businesses.
For example, doctors must comply with the HIPAA Privacy Rule and the HIPAA Security Rule. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.
“The Security Rule operationalizes the Privacy Rule by addressing the technical and non-technical safeguards that medical offices, as covered entities, must put in place to secure individuals’ electronic protected health information (e-PHI),” noted Curry.
Because HIPAA rules and regulations have been in effect for many years, most medical offices have developed policies and procedures that meet minimum compliance standards. “However, a medical office should go beyond compliance and implement a cyber risk management program as a business process related to risk management, which includes regular employee training, vendor management, penetration tests and vulnerability assessments,” added Curry.
By doing this, the medical office ensures that it is not only in compliance with HIPAA, but that it is also adequately managing cyber risk with appropriate resources. At a minimum, a medical office should have quarterly and annual reviews of its cyber risk management program, and require all employees to receive cyber risk training. It is also imperative that a medical office perform an annual cyber risk self-assessment along with penetration tests and vulnerability assessments. If it has been more than three years since a third party conducted an assessment of the medical office's cyber risk management program, then the medical office should hire a consultant to conduct an independent assessment to establish a baseline and a remediation plan to improve the practice's cyber risk management posture.
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. “Specifically, covered entities must ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit,” concluded Curry. “They must also identify and protect against reasonably anticipated threats to the security or integrity of the information; protect against reasonably anticipated, impermissible uses or disclosures; and ensure compliance by their workforce.”
About Cyberlaw.io
Cyberlaw.io is ideal for regulated small businesses that don’t have the money to pay for lawyers or expensive cybersecurity professionals. It meets the need for people who can’t justify the expense, so that they can get the paperwork they need and affordably stand up a cyber risk management program themselves. For more information, please call 1-833-232-9237 (1-833-23-CYBER), or visit https://www.cyberlaw.io/.
For media inquiries, please call the NALA at 805.650.6121, ext. 361.